With a strategically placed rename, bind mounts can be tricked into giving processes access to the entire filesystem instead of just a piece of it. This misfeature has existed since bind mounts were introduced into the kernel.

This issue has been fixed in Linus's tree, and below are my tested backports of the fixes to 4.2.1, 4.1.8, 3.18.21, 3.14.53, 3.12.48, 3.10.89, 3.4.109, 3.2.71 and 2.6.32.68, which are all of the kernels currently listed as being active.

The fixes backported are:

cde93be45a8a90d8c264c776fab63487b5038a65 dcache: Handle escaped paths in prepend_path
397d425dc26da728396e66d392d5dcb8dac30c37 vfs: Test for and handle paths that are unreachable from their mnt_root

As I backported the patches, the logical work remained the same, but the exact implementation details changed to fit in with the vfs present in the older kernels. Minor changes were needed for the backport to every kernel except 4.2.1.

Please queue these changes for the appropriate stable trees.
Attachments (application/mbox):
bind-4.2.mbox
bind-4.1.mbox
bind-3.18.mbox
bind-3.14.mbox
bind-3.12.mbox
bind-3.10.mbox
bind-3.4.mbox
bind-3.2.mbox
bind-2.6.32.mbox
Eric